Solved

How can I stop warning re mysterious trojan or clean my PC of mchinjdrv.sys?

Posted on 2008-10-03
9
871 Views
Last Modified: 2013-12-04
Recently my AVG software has reported on startup that a trojan threat has been detected in c:\windows\system32\drivers\mchinjdrv.sys.

I've done some research and some say that this is a legit thing and others say it is indeed a trojan threat.  When the warning appears I can choose to Heal but it can't find the file so can't heal it.  I can choose to move it to the Virus Vault but as it can't find it there's nothing to move.  If I choose to Ignore it the box goes away but reappears again on startup.

Regedit won't let me chop the Legacy entries out of the registry and a search of the whole PC (including hidden files) can't find this file either.  I've run a full AVG virus scan and that comes up clean, as do scans with Advanced WindowsCare, RegCure, XsoftSpy and a scanner I tried from Sophos which claimed to search for hidden rootkits.

I've seen a similar issue reported in EE and it mentions something called Rootkit Unlocker (or something like that), but when I looked into that there was some doubt about it, as someone alleged that this software added something to the system to defend against it ever being removed, so in a way that's almost as bad as this current possible security risk.

The only way I can see to rid myself of this dialog is to add an exclusion in AVG not to reference system32\drivers when it starts up, which is convenient but hardly secure.

Can anyone advise on how I can get rid of this thing?  Whether it's legit or not, if it poses a threat I'd rather not have it hanging around!  I'm running XP inc SP3 and all latest patches and AVG v8.

Thanks in advance.
0
Question by:funasset
9 Comments
 
LVL 16

Expert Comment

by:JoWickerman
ID: 22632493
Hi,

Try the following:

Download process explorer from any site. (ProcessExplorer.zip)
Run Process Explorer
Find the process mchinjdrv.sys tree
Kill tree
Go to a DOS prompt
c:\> dir /S /AH /L mchinj*.sys
If you find the file:
attrib -s -h -r mchinjdrv.sys
rename mchinjdrv.sys mchinjdrv.old

Delete mchinjdrv.old

I think this should work.

Let me know,
Cheers.
0
 
LVL 5

Expert Comment

by:MattRichardson
ID: 22632756
0
 

Author Comment

by:funasset
ID: 22633663
Thanks - I'll look into both of these when I get home.

I'll get back to you!
0
 

Author Comment

by:funasset
ID: 22636059
Nope.  Tried the ProcessExplorer and there was no entry for mchinjdrv.sys and it didn't show up in DOS using the search either.  I'm mystified as to where this damned thing is!!
0
 
LVL 2

Expert Comment

by:ThinkSmartInc
ID: 22638843
I did some digging for you on this issue. mchinjdrv.sys is for the MadCodeHook Injection Driver. It is used in programs like Spy Sweeper to do injection tests in order to catch malicious code. Unfortunately, the way it's loaded is that the file is dropped just long enough to load into memory and then is deleted, which is why you can never locate it. If you are using Spy Sweeper, I'd recommend putting it into your exemption list, or use another anti-spyware program. Below are a couple of sites that you can check out to give you more information regarding mchinjdrv.sys:

http://forums.comodo.com/virusmalware_removal_assistance/mchinjdrvsys-t9257.0.html

http://www.wilderssecurity.com/showthread.php?t=47024
0
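The two comments above describe the same symptom from two sides: a hidden-file search that finds nothing, and a driver that is written to disk only long enough to be loaded and then deleted, leaving only its registry entries behind. As an added example (not code from the thread or from any of the posters), the PowerShell script below checks exactly those footprints for a driver name: its Services entry and ImagePath, whether the image is actually on disk, the LEGACY_* PnP key that Regedit would not remove, and whether the driver is loaded right now. It assumes the standard HKLM\SYSTEM\CurrentControlSet locations and should be run from an administrative prompt.

```powershell
# Added example, not code from the thread: report the footprints a driver name
# flagged by an AV product still has in the registry and on disk. Uses the
# standard Services and Enum\Root\LEGACY_* keys; the driver name is the one
# from the thread. Run from an administrative PowerShell prompt.
param([string]$DriverName = 'mchinjdrv')

$svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
$legacyKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($DriverName.ToUpper())"

# 1. Service registration: ImagePath is where the loader expects the file.
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    "Service key present: $svcKey"
    "  ImagePath: $($svc.ImagePath)"
    "  Start    : $($svc.Start)  (0=boot 1=system 2=auto 3=demand 4=disabled)"
    "  Type     : $($svc.Type)   (1=kernel driver)"
    # Normalise the common prefixes (\??\ and \SystemRoot\) and relative paths.
    $img = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if ($img -and -not [IO.Path]::IsPathRooted($img)) { $img = Join-Path $env:SystemRoot $img }
    # -Force makes Get-Item return hidden/system files, which a plain dir would skip.
    if ($img -and (Test-Path $img)) {
        $f = Get-Item -Path $img -Force
        "  File on disk: $img ($($f.Length) bytes, attributes $($f.Attributes))"
    } else {
        "  File NOT on disk: $img (consistent with a driver that is dropped, loaded, then deleted)"
    }
} else {
    "No service key: $svcKey"
}

# 2. The LEGACY_* PnP root entry is left behind once a kernel driver has been
#    loaded and survives deletion of the file; it is what Regedit refuses to remove.
if (Test-Path $legacyKey) {
    "Legacy PnP entry present: $legacyKey"
    Get-ChildItem -Path $legacyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $inst = Get-ItemProperty -Path $_.PSPath
        "  Instance $($_.PSChildName): Service=$($inst.Service) DeviceDesc=$($inst.DeviceDesc)"
    }
} else {
    "No legacy PnP entry: $legacyKey"
}

# 3. Is the driver loaded right now? Win32_SystemDriver is available on XP via WMI.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$DriverName'"
if ($drv) {
    "Driver object: State=$($drv.State) StartMode=$($drv.StartMode) PathName=$($drv.PathName)"
} else {
    "Driver '$DriverName' is not currently known to the service control manager."
}
```

A service key whose ImagePath points at a file that is not on disk, together with a LEGACY_* entry, matches the dropped-then-deleted behaviour described above; a file that is present can be checked against the vendor's signature before deciding whether the alert is a false positive.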
 

Author Comment

by:funasset
ID: 22640052
Thanks for the links and I appreciate the digging.  It's a pesky little so-and-so isn't it.

It's AVG's Resident Shield that complains about it - I guess a recent signature update is why it's suddenly picking it up.  The trouble is that as far as I can see I can't add this specific file reference to its exceptions list.  I can only add the path, so that will mean telling AVG not to look in the whole system32\drivers directory, which doesn't seem safe to me.

I thought AVG was one of the best AV/anti-spam tools around, so if I have to replace it in order to get rid of this warning I'm not entirely sure what to put in its place.  I can't find an email address or URL to contact the makers of AVG directly either so that I can pick their brains.  Tricky.

0
 
LVL 2

Accepted Solution

by:ThinkSmartInc (earned 500 total points)
ID: 22664600
You can go to http://www.avg.com/support-technical and enter your license from AVG to get support.
0
 

Author Comment

by:funasset
ID: 22667397
Thanks.  In the past couple of days the warning hasn't appeared on startup 9 out of 10 times - why it appears on the other 1 occasion I really don't know.  I've scanned my PC with everything I can get my hands on and all reports indicate no infection so although this hook can be used by nasty hackers who need to get out more, it would seem that in this instance it is indeed a false positive and I'll have to contact AVG.

I appreciate your help.

Cheers.
0
 

Author Closing Comment

by:funasset
ID: 31502689
Many thanks for your efforts.
0
